co_ol (Australia) asked:
Mass Mailer bots

I have been cleaning a Windows XP machine infected by trojans and used all available tools. The PC seems clean. None of the scanning tools show any more signs of trojans.

I also have installed a program called RUbotted from Trend Micro, because my initial callout has been email related (unable to send emails) because the IP has been blocked. Running the PC on my home network, RUbotted does not detect any traffic for mass mailers; however, as soon as I start the PC at the customer's network it detects mass mailer or spam bots.

How can that be, and how are those spam bots working such that it only detects them on the customer's network? Can anybody shed some light on this?
ASKER CERTIFIED SOLUTION
warturtle (United Kingdom)
I have an Exchange 2003 server with a growing queue in a spam SMTP connector we configured; the mail appears to be coming from a mail bot on the network. We had a firewall breach and discovered a mass mailer on one server. Although this was removed and the PHP code repaired, I think it may have installed a mail bot somewhere on the network. We only have one Exchange server, we are not a relay (I have tested this), and the mail queue grows if I disable the outside card. I have run Wireshark on both cards and it shows no unusual entries for SMTP; I assume it would have to be SMTP for Exchange to accept the mail into a queue. Any ideas how I might determine the origin of the mail? I have network AVG scanning all devices with no infection :( help!
co_ol (asker):
The best advice I can give you is to install RUbotted from Trend Micro on every PC until you find the one sending the spam. At least you have isolated the problem to a single PC. Sorry I can't be of more help.
http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted

Thanks for your help, we will try that :)
Another suggestion is to use Microsoft Network Monitor ( http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en ) or Wireshark (www.wireshark.org) to capture the network packets and then see which computers are doing SMTP or broadcast traffic and check on them. That might help.
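One way to act on the capture-and-look suggestion above, as an added example that is not part of this thread: feed the conversation list exported from Wireshark or Network Monitor (source, destination, destination port) into a small script that reports hosts, other than the known mail server, opening connections to many distinct external mail hosts. The IP addresses, the allowed-sender set and the threshold are constructed assumptions for illustration.

```python
"""Flag LAN hosts whose outbound fan-out to SMTP ports looks like a mass mailer.

Input is a list of flow tuples (src_ip, dst_ip, dst_port), the kind of data you
get from Wireshark's Conversations view. All sample data here is constructed.
"""
from collections import defaultdict
import ipaddress

# Constructed sample flows. Normal workstations only talk to the internal
# Exchange server; the Exchange server is the one host expected to reach
# external MX hosts; 192.168.1.42 delivers mail to many external hosts itself.
SAMPLE_FLOWS = [
    ("192.168.1.10", "192.168.1.5", 25),      # workstation -> Exchange
    ("192.168.1.11", "192.168.1.5", 25),
    ("192.168.1.5", "203.0.113.20", 25),      # Exchange -> external MX (expected)
    ("192.168.1.5", "198.51.100.7", 25),
    ("192.168.1.42", "203.0.113.20", 25),     # workstation -> external MX (odd)
    ("192.168.1.42", "198.51.100.7", 25),
    ("192.168.1.42", "192.0.2.44", 25),
    ("192.168.1.42", "192.0.2.45", 25),
    ("192.168.1.42", "203.0.113.99", 25),
    ("192.168.1.42", "198.51.100.200", 587),  # submission port counts too
    ("192.168.1.11", "192.168.1.5", 445),     # file sharing, ignored
]

def smtp_fanout(flows, allowed_senders, ports=(25, 587)):
    """Map each non-whitelisted source to the set of hosts it reached on mail ports."""
    fanout = defaultdict(set)
    for src, dst, port in flows:
        if port in ports and src not in allowed_senders:
            fanout[src].add(dst)
    return fanout

def suspicious_hosts(flows, allowed_senders, internal_net, threshold=3):
    """Return {src: count} for hosts reaching >= threshold distinct external mail hosts.

    A PC that only talks to the internal mail server has zero external peers and
    is never reported; a bot delivering directly to many MX hosts stands out.
    """
    net = ipaddress.ip_network(internal_net)
    result = {}
    for src, dsts in smtp_fanout(flows, allowed_senders).items():
        external = {d for d in dsts if ipaddress.ip_address(d) not in net}
        if len(external) >= threshold:
            result[src] = len(external)
    return result

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_FLOWS, {"192.168.1.5"}, "192.168.1.0/24"))
```

A host that appears here is a candidate for the per-PC scanning described in the thread, not proof of infection; a legitimate second mail gateway should simply be added to the allowed-sender set.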
The RUbotted program seems a little hit and miss; it runs on some PCs but not others, etc. (it is beta). However, the Exterminate program http://www.exterminate-it.com is excellent; it finds lots that AVG and Trend won't find. I will try the MNM and report its findings. Thanks for your input :)

Hello bassman256, I am not sure about that Exterminate program and whether it's any good or not. Best would be to ask a question in the anti-virus applications, anti-virus and anti-spyware category. I have seen a thread before where this program was not recommended.